Hack Attack

In February, an unknown hacker typed in a command that caused a
network of compromised computers, known as zombies, to begin what is
called a distributed denial of service (DDoS) attack. The target was
the giant portal site Yahoo!. The secret army of computers flooded
Yahoo!'s servers with repeated requests for data, keeping almost all
legitimate visitors from reaching the site for three hours. In the
days that followed, copycat hackers had their way with some of the
biggest and busiest e-commerce and portal sites on the Internet.
Microsoft, eBay, and Buy.com were just a few of the Goliaths
knocked down, allegedly by the likes of a few David-sized teen
hackers.

Though one arrest has been made (a 15-year-old has been charged
with disabling Cnn.com), the DDoS attacks are still being seen as
"victorious," and hordes of curious techno-wizards are
nosing around in cyberspace right now, sniffing out insecure
servers on which to display their criminal prowess. And just in
case you were feeling left out, rest assured: The big sites
aren't the only ones at risk. Smaller sites may be just as
vulnerable to hacking, whether from unknown pranksters, thieves
seeking your customers' financial information or saboteurs in
search of company secrets. But don't shut down your e-shop
yet.

While every computer connected to the Internet is exposed to the
prying eyes of the world, there are steps you can take to evaluate
and eliminate potential security risks. The first step is to be
aware of the ways high-tech criminals attempt to compromise network
security. Read on to educate yourself about common hacking methods
and how to reduce your risks.

Tina Gasperson writes about technology, business and the
Internet. Her articles and columns have been published at
Andover.net, Office.com, TechTraveler.com and many other
publications. Visit her Web site at www.gasperson.com.

The Trojan Horse

Trojans are malicious programs that hackers either secretly install
on your system or trick you into installing yourself by disguising
them as legitimate software. Once running, they let the attacker reach
your network remotely, take complete control and perform any number of
dirty deeds, including turning your computer into a zombie and using
it to carry out DDoS attacks.

Build a firewall. A firewall controls traffic into and out of your
network according to a set of rules you devise (typically by source
and destination address, port and protocol) and blocks unauthorized
logins and access; the safest ruleset denies everything by default and
opens only the services you actually offer. Most network software
allows you to set up a firewall. According to the Internet Firewall
Frequently Asked Questions Web site, for a firewall to work, it
must be a part of a consistent organizational security
architecture. Simply put, a firewall can't protect against every
type of attack (it will happily pass a malicious request to a Web
server you have chosen to expose), but it's a good first step.
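As an added example, not code from the article or from the Firewall FAQ, here is a first-match packet filter in Python that models the kind of rule list a firewall evaluates. The ruleset, the address ranges and the connection attempts are all constructed for the illustration:

```python
"""Added example of firewall rule evaluation; not code from the article.

A packet filter walks an ordered rule list and applies the first rule
that matches, falling back to a default policy. The ruleset, address
ranges and connection attempts below are constructed for the example.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str             # "allow" or "deny"
    src: str                # CIDR block the source address must fall in
    dport: Optional[int]    # destination port, None = any port
    proto: str = "tcp"


# Constructed ruleset for a small shop: the world may reach the Web
# server, only the office LAN (192.168.1.0/24) may reach SSH, and
# everything else is dropped by the final catch-all rule.
RULES = [
    Rule("allow", "0.0.0.0/0", 80),
    Rule("allow", "0.0.0.0/0", 443),
    Rule("allow", "192.168.1.0/24", 22),
    Rule("deny", "0.0.0.0/0", None),      # explicit default deny
]


def decide(rules, src_ip, dport, proto="tcp"):
    """Return the action of the first matching rule; deny if none match."""
    addr = ip_address(src_ip)
    for rule in rules:
        if rule.proto != proto:
            continue
        if addr not in ip_network(rule.src):
            continue
        if rule.dport is not None and rule.dport != dport:
            continue
        return rule.action
    return "deny"


def filter_attempts(rules, attempts):
    """Return [(attempt, action), ...] for a list of (src, dport, proto)."""
    return [(a, decide(rules, *a)) for a in attempts]


if __name__ == "__main__":
    attempts = [                        # constructed traffic
        ("203.0.113.5", 80, "tcp"),     # customer or attacker alike: the filter sees only the port
        ("203.0.113.5", 22, "tcp"),     # outsider probing SSH
        ("192.168.1.20", 22, "tcp"),    # admin on the office LAN
        ("203.0.113.5", 1433, "tcp"),   # outsider probing a database port
    ]
    for attempt, action in filter_attempts(RULES, attempts):
        print(attempt, "->", action)
```

The first attempt shows the limit the FAQ warns about: a connection to port 80 is allowed whatever it carries, so an attack wrapped inside an ordinary-looking Web request goes straight through to the server. The firewall narrows what can be reached; it does not make what is reachable safe.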

Act like a hacker. Self-taught hacker Markus
"Fluid" Delves says the best way to protect your server
is to try to break into it yourself. "I suggest heading to a
site like Church of the Swimming Elephant or Security Focus. They
have all sorts of excellent information on how to protect your
machine," says Delves, owner of Fluid Enterprises Inc., a network
consulting and security firm. "Security Focus has a large database
of exploits [scripts that hackers can run on servers]. Test every
one of them against your server. If one happens to work, you can
find out how to patch the hole. I constantly check here for new
holes that could appear on my system."

The Numbers Game

Many hackers simply want access to private information, like
databases filled with credit card numbers and sensitive company
data. Often all they have to do is figure out your administrator
password. Many times they'll attempt to grab it through
"social engineering": calling or e-mailing you or an
employee, claiming to be a technical support person, and then
schmoozing you out of your password. Hackers may also try to
"crack" your password with a dictionary attack, in which a
program automatically tries thousands of words and their common
variations (reversed spellings, capitalized forms, appended digits
and the like) until one matches. Take the following measures to
avoid these scams:

Create and use good passwords. A successfully cracked
administrator password gives an intruder virtually unlimited power,
so make sure your password is complex. AntiOnline.com, an Internet
security journal, recommends you use a combination of upper and
lower case letters, numbers and symbols. Don't just spell a
word backward or add a couple of numbers to the end of your name.
Never use a password that can be found in a dictionary of any
language. Create a unique password for every instance where one is
required, and change your passwords periodically.
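To show why these rules matter, here is an added example (not from the article or from AntiOnline) of the dictionary attack described above, run against a set of constructed accounts. The word list, the mutation rules and the passwords are made up for the illustration, and SHA-256 stands in for whatever hash a real system stores:

```python
"""Added example of a dictionary attack; not code from the article.

The word list, the mutation rules and the account passwords are
constructed for this illustration. SHA-256 stands in for whatever
hash a real system stores; the attack works the same way against
any unsalted, fast hash.
"""
import hashlib

# Constructed mini dictionary; real attacks use lists of millions of words.
WORDLIST = ["password", "dragon", "letmein", "yahoo", "summer"]


def sha256(text):
    return hashlib.sha256(text.encode()).hexdigest()


def mutations(word):
    """Yield the tweaks people think make a dictionary word safe."""
    bases = [word, word.capitalize(), word.upper(), word[::-1],
             word.replace("a", "@").replace("e", "3").replace("o", "0")]
    for base in dict.fromkeys(bases):      # dedupe, keep order
        yield base
        for n in range(100):               # "add a couple of numbers"
            yield f"{base}{n}"
            yield f"{base}{n:02d}"
        for year in range(1990, 2001):     # a favourite suffix
            yield f"{base}{year}"


def crack(target_hashes, wordlist):
    """Map each stored hash to the first dictionary variant that produces it."""
    wanted = set(target_hashes)
    found = {}
    for word in wordlist:
        for guess in mutations(word):
            h = sha256(guess)
            if h in wanted and h not in found:
                found[h] = guess
    return found


# Constructed accounts with their stored (unsalted) hashes.
ACCOUNTS = {
    "admin": sha256("Dragon99"),          # dictionary word + digits
    "sales": sha256("drowssap"),          # "password" spelled backward
    "ceo": sha256("letmein2000"),         # dictionary word + year
    "cfo": sha256("x7!Qz#v9Lp2&mW"),      # random, in no dictionary
}


def audit(accounts, wordlist=WORDLIST):
    """Return {user: recovered password or None} for each account."""
    found = crack(accounts.values(), wordlist)
    return {user: found.get(h) for user, h in accounts.items()}


if __name__ == "__main__":
    for user, pw in audit(ACCOUNTS).items():
        print(f"{user:6} {'CRACKED: ' + pw if pw else 'not cracked'}")
```

The first three accounts fall in a fraction of a second because each password is a dictionary word plus a predictable tweak, exactly the habits the advice above warns against; the fourth survives because no word list contains it. Running this kind of audit against your own password file, with a large real word list, is the quickest way to find the accounts that will fall first.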

Separate customer data. "The safest thing to do is
have a Web server that's totally separate [from confidential
information]," says Erik B. Sherman, networking expert and
author of Home Networking! I Didn't Know You Could Do
That (Sybex, $19.99). Transfer credit card and other personal
data to a stand-alone computer each day, erasing the sensitive
information from the Web server, so that a break-in on the public
server exposes at most a day's worth of records.

Never tell. Obviously, never divulge your password,
ever, no matter who claims to need it.

Create a company security policy. If you have employees
or contractors with access to the network, outline procedures for
password safety in a company security policy. Make sure your staff
understands how vital password secrecy is to data security, and
that they should never share their password with anyone, including
you; if someone needs access to an account, reset its password
rather than pass the old one along.

The Inside Job

The worst threat against your computer files and databases may
be an employee or contractor with legitimate access. It's a lot
easier for someone on the inside to copy sensitive information to a
disk than it is to penetrate a firewall. Use these precautions with
everyone from clients and employees to contractors:

Watch your back. Exercise due caution when allowing
employees and contractors access to your network: give each person
only the access their job requires, and pay attention to their
actions. Are they copying files to a disk? Having secretive
telephone conversations or sending confidential faxes? They may be
stealing company information. Don't get paranoid, but don't
get lackadaisical either.

Whom do you trust? Sometimes, it may be a dishonest
customer who tries to get the upper hand. "In January of last
year, we found our server was hanging unexpectedly," says Dan
Arndt, sales director and VPO for Rockliffe Systems Inc., an
Internet-based e-mail software developing company that recently
moved out of founder John Davies' home to new headquarters in
San Jose, California. "We learned that certain hacking
attempts on Microsoft servers could cause this. We upgraded the
server but couldn't determine the types of attacks and where
they were coming from. [Later,] we got involved with the beta
testing of a product called BlackICE."

Greg Gilliom, president and CEO of NetworkICE, the company that
created BlackICE, says of the software, "If you have any
valuable information on your server and someone tries to break in
and get it, you'll know about it and BlackICE blocks the
attempt." The program runs in the background, logging
intrusion attempts along with identification information, while
providing a customizable firewall for sites that allow database
information retrieval by site visitors. By setting the software to
a "paranoid" access level, for instance, all attempts to
access the server that don't fit into a pre-determined range
are rejected. This allows your customers to spend money freely but
keeps nosy crooks out.
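As an added example, not the BlackICE product's own logic, the following Python script applies the same idea to a constructed Web server log: requests that fall outside a pre-determined set of paths are counted as probes, and a host that sends too many of them is put on a block list. The log lines, the allowed paths and the threshold are all assumptions for the illustration:

```python
"""Added example of log-based intrusion detection; not BlackICE's code.

The log lines are constructed in Common Log Format. The allowed-path
list and the probe threshold are assumptions for the example.
"""
import re
from collections import defaultdict

LOG_RE = re.compile(
    r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+$'
)

# Constructed log: one customer browsing, one host hunting for license keys.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2000:09:12:01 -0800] "GET /index.html HTTP/1.0" 200 4512
203.0.113.7 - - [10/Mar/2000:09:12:03 -0800] "GET /products.html HTTP/1.0" 200 8120
203.0.113.7 - - [10/Mar/2000:09:12:30 -0800] "POST /order.cgi HTTP/1.0" 200 612
198.51.100.23 - - [10/Mar/2000:09:13:01 -0800] "GET /cgi-bin/keys.db HTTP/1.0" 404 210
198.51.100.23 - - [10/Mar/2000:09:13:02 -0800] "GET /license/ HTTP/1.0" 403 190
198.51.100.23 - - [10/Mar/2000:09:13:02 -0800] "GET /admin/ HTTP/1.0" 404 210
198.51.100.23 - - [10/Mar/2000:09:13:03 -0800] "GET /../../etc/passwd HTTP/1.0" 400 150
198.51.100.23 - - [10/Mar/2000:09:13:04 -0800] "GET /index.html HTTP/1.0" 200 4512
"""

# "Paranoid" policy: only these paths belong to the shop; anything else
# is treated as a probe. Assumed for the example.
ALLOWED_PATHS = {"/", "/index.html", "/products.html", "/order.cgi"}
PROBE_THRESHOLD = 2     # block a host after this many out-of-range requests


def parse(line):
    """Split one Common Log Format line into its fields, or None if malformed."""
    m = LOG_RE.match(line)
    if not m:
        return None
    host, ts, method, path, status = m.groups()
    return {"host": host, "time": ts, "method": method,
            "path": path, "status": int(status)}


def is_probe(entry):
    """Out-of-range request: unknown path, directory traversal, or an error status."""
    path = entry["path"]
    return path not in ALLOWED_PATHS or ".." in path or entry["status"] >= 400


def analyze(log_text):
    """Return (probes per host, set of hosts that crossed the threshold)."""
    probes = defaultdict(list)
    for line in log_text.splitlines():
        entry = parse(line)
        if entry and is_probe(entry):
            probes[entry["host"]].append(
                (entry["time"], entry["path"], entry["status"]))
    blocked = {h for h, hits in probes.items() if len(hits) >= PROBE_THRESHOLD}
    return dict(probes), blocked


if __name__ == "__main__":
    probes, blocked = analyze(SAMPLE_LOG)
    for host, hits in probes.items():
        print(host, "probes:", len(hits))
        for hit in hits:
            print("   ", *hit)
    print("block:", sorted(blocked))
```

The log keeps the identifying information the article mentions (source address, time and exactly what was requested), which is what let Rockliffe tie the attacker back to a customer record. The customer's traffic never trips the rule, while the probing host is flagged after its second request, before it gets as far as the normal page it asks for last.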

After Rockliffe began running the product on its server, the
hacker made another attack on the system. This time, the company
was able to track the identity of the hacker, contact his Internet
service provider and have his account closed. Probably the work of
a stranger, right? Not according to Rockliffe owner John Davies.
"We linked the hacker's domain name to his customer record
in our database. I guess he really liked our software. He was
trying to see if he could find any license keys."

Asking The Experts

Once you've learned to think like a hacker, consider
enlisting the services of an expert. "Security can get so
complex so quickly, that even major corporations will hire security
experts. Chances are, unless you're an expert in the area,
you're not going to know enough," Sherman says. IBM Global Services provides "Ethical
Hacking," an alternative to hiring a full-time security guru.
For between $15,000 and $40,000, a team of expert hackers performs
a thorough review of your overall network design. Then they'll
attempt to gain unauthorized access to your server and you'll
get a complete report, along with recommendations for immediate and
long-term security improvements.

What can you do if your budget isn't big enough to hire a
team of white-hatted hackers or a security genius? Move the whole
thing offsite, like Rockliffe Software did shortly after the
hacking incident. "Running a server locally can be
problematic, especially if your Internet connection goes down. To
be honest, I wouldn't recommend it to anybody," Davies
says.

"People who have servers in their homes have a lot of
challenges because they have to manage the software and the traffic
and they have to be on call 24 hours a day," says Laura Zung,
vice president of product management for Verio Inc., a Web hosting company that
offers secure e-commerce packages with built-in encryption.
"The very best option for homebased entrepreneurs is a hosting
account and e-commerce software. It gives the best price
performance and is very secure." With equipment in your home,
you're responsible for your customers' security. If you
sign up for a remotely hosted Web site, the provider takes on
keeping the server patched, monitored and online, though your own
application, passwords and customer data remain your
responsibility. A Web host also absorbs most of the overhead and
setup costs, making it an inexpensive way to reduce your exposure.

Extra Protection

Whether you keep your server at home or farm it out to a Web
host, you can insure yourself against electronic attacks. INSUREtrust.com offers policies
that cover breach of computer security, computer theft, damage to
data and software, and loss of business income due to illegitimate
use or a denial of service attack. Marsh Inc. provides a "Net
Secure" policy that covers security breaches, information
theft and denial of service attacks.